‘Hardening’ your WordPress Installation

If you’re reading this and you own or administer a website, there’s a one in four chance you’re running a WordPress installation.

According to the latest figures from June 2016, WordPress now powers around 26% of all sites out there, making it by far the most common Content Management System (CMS) on the Internet. Thanks to its comparative ease of use and its ability to “grow and expand” with its users’ level of knowledge, WP is now installed on far more domains than any other system. However, this overwhelming popularity also makes WordPress the most attacked CMS on the Web, by far.

When one popular WordPress security provider decided to measure the number of Brute-Force Attacks¹ on just a small number of sample websites, they charted a massive 6,611,909 attacks targeting 72,532 individual websites in a test period of just sixteen hours. Given the fact that the domains monitored by this test amounted to less than 1% of all WordPress sites online, the total number of hourly attacks on just this one CMS alone is frankly staggering.

I regularly describe WP as being the Swiss Cheese of Security, since it can’t even defend itself against the countless aforementioned “Brute Force Attacks” on its own². By the time you also factor in the myriad other ways to actually breach an undefended WordPress installation, what you have is a Website with a “Hack me” sign taped to its back, unless you enable some additional security.

WordPress really needs a Guard Dog.

Actually, it really needs to be taught basic self-defense against intrusion and hacking attempts, but that doesn’t look like it’s going to happen anytime soon. Therefore, in lieu of waiting for the WordPress Foundation to address these fairly basic flaws, here are some tips on keeping your site clean and uncompromised.

Important Note: As a WordPress user, the first thing you need to realize is that there’s no such thing as perfect security. No matter how good your intrusion protection and/or security plugins, there’s always a chance of something slipping through the net.

With this information firmly in mind, what you’re looking for is a setup which not only keeps out malicious attackers, but which also backs itself up at regular intervals. This is vital, since it’s much easier to restore a clean backup if things go wrong, than it is to thoroughly disinfect an entire WordPress installation from the ground up. I learned that the hard way.

Next you need to decide on which of the countless Security and Backup Plugins to install.

The choices are wide, varied, and oftentimes confusing for the novice, with each plugin’s “Sales Blurb” assuring potential users that it provides the greatest security this side of Fort Knox, or that its backups are made of Diamond, Titanium, or some other equally indestructible substance. Over the years I’ve field-tested most of them, and found many of their hyperbolic claims to be predictably bogus. Here’s the combination I eventually settled on after much research:

Wordfence with a Side Order of UpdraftPlus

Wordfence: because without installing decent intruder protection none of your backups are 100% safe.

With over a million active installs, this security plugin is one of the ‘Big Dogs in the Park’. I’ve used a number of its competitors, and I’ve found Wordfence not only to be “easy to get along with”, but extremely competent too. It’s also the only security plugin I’ve ever considered worth paying for. This is a crucial point I’ll get back to shortly.

UpdraftPlus: because the last place you want your backups to be stored is on your own site.

Again, this is one of the more popular WordPress backup solutions, with over 800k active installs. It’s simple to set up, regular as clockwork, and it will store your backups offsite without any problems at all. In fact, if you’re setting up a ‘Rolling Backup Cycle’ (which you’ll want to), this plugin is basically invaluable. Once again, it’s the only backup plugin I’ve ever paid for… which brings me back to yet another…

Important Note: If you value your website and/or if you’re trying to make money with it, do not rely on free solutions, no matter what their developers promise you. Every website I launch costs me approximately $80 (USD) per year for professional Wordfence and UpdraftPlus licenses. In return I get a WordPress installation that’s basically impervious to anything once I’ve finished hardening it. Wordfence is exceedingly competent at keeping out intruders in the first place³. Should anything go wrong in spite of this protection, my Updraft rolling backup cycle allows me to restore a clean version from up to two weeks before any attack has succeeded.

Even though the free version of Wordfence is as competent a WordPress Security Plugin as you could wish for, its threat definitions are only updated once a month, while the paid version updates in real time. Depending on the vulnerabilities your installation exposes you to, a month is an unacceptably long time to leave your website unguarded. UpdraftPlus can be configured to run automatic backups every few minutes/hours/days, and upload them to Google Drive, Dropbox, Amazon, and a number of other Cloud Storage providers. By setting UpdraftPlus to retain the last [x] number of backups you can create a rolling archive, to be restored at will and within minutes. Of course you’re also able to download individual backups to your own computer, for additional peace of mind.

I’ve run Wordfence and UpdraftPlus in tandem for a couple of years now, with upward of ten licenses for each plugin. Only once has a site of mine been breached during this time, and investigation revealed that mishap to be my [ex]hosting company’s fault, so I really cannot blame Wordfence in the slightest.

Do not take the security of your WordPress Installation lightly.

During a decade as part of Google’s Webmaster Support System I’ve seen too many sites get ruined by hacking incidents, simply due to insufficient protection and preparation.

¹A Brute Force Attack is essentially an attempt to gain access to the WordPress system by trying to log in with an enormous number of Username/Password combinations. Given many users’ propensity to use obvious usernames and simple passwords, this technique is still far more effective than it really has any right to be. Wikipedia Article

²The natural way to defend against Brute Force Attacks would of course be to limit the number of login attempts by any one Computer/IP Address, but even such a basic precaution is still not a native WordPress feature as I sit here penning this post.
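The per-IP limit described in footnote ² is straightforward to bolt on yourself while waiting for core to supply it. The following is an added example, not code from the original post or from Wordfence or UpdraftPlus: a small must-use plugin (dropped into wp-content/mu-plugins/) that counts failed logins per connecting address in a WordPress transient and refuses further authentication once a threshold is reached. The limit of 5 failures and the 15-minute window are assumed values chosen for illustration, and the code takes `REMOTE_ADDR` at face value, which is only correct when no reverse proxy sits in front of the site.

```php
<?php
/**
 * Added example (not from the original post): per-IP login throttling
 * for WordPress as a must-use plugin. Copy to wp-content/mu-plugins/.
 *
 * Assumed policy: after WPH_MAX_FAILURES failed logins from one address
 * within WPH_WINDOW_SECONDS, further login attempts from that address are
 * refused until the window expires. Both values are illustrative.
 */

const WPH_MAX_FAILURES   = 5;
const WPH_WINDOW_SECONDS = 15 * MINUTE_IN_SECONDS;

/**
 * Build the transient key for the connecting address. REMOTE_ADDR is
 * trusted here; behind a load balancer or CDN you would first have to
 * validate the forwarded-for header against a list of known proxies.
 */
function wph_failure_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'wph_login_failures_' . md5( $ip );
}

// Count every failed login. Re-setting the transient on each failure
// restarts its expiry, so the window slides while attempts keep coming
// and the counter disappears on its own once the address goes quiet.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = wph_failure_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPH_WINDOW_SECONDS );
} );

// Priority 30 runs after WordPress's own username/password check (20),
// so we can veto the result regardless of whether the credentials were
// right. Returning a WP_Error makes wp_signon treat the login as failed.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( wph_failure_key() ) >= WPH_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts from this address. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter so a legitimate user who
// mistyped a password a few times is not left locked out.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( wph_failure_key() );
}, 10, 2 );
```

Because a refused attempt still fires `wp_login_failed`, an address that keeps hammering the form keeps extending its own lockout, while the rest of the site is unaffected. Transients live in the options table (or in the object cache if one is configured), so this needs no extra storage and nothing is written to the filesystem.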